From 6f26e2684609c55e49408eb8a3436e6cd6bb33cd Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 28 Jun 2022 15:16:52 +0200
Subject: [PATCH] rules: bitsadmin coverage
---
...ion_win_bitsadmin_download_susp_domain.yml | 47 ++++++++++++++
...eation_win_bitsadmin_download_susp_ext.yml | 64 +++++++++++++++++++
...reation_win_bitsadmin_download_susp_ip.yml | 53 +++++++++++++++
...n_bitsadmin_download_susp_targetfolder.yml | 41 ++++++++++++
...tsadmin_download_uncommon_targetfolder.yml | 41 ++++++++++++
5 files changed, 246 insertions(+)
create mode 100644 rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml
create mode 100644 rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml
create mode 100644 rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml
create mode 100644 rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
create mode 100644 rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml
new file mode 100644
index 000000000..1a7b53840
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml
@@ -0,0 +1,47 @@
+title: Bitsadmin Download from Suspicious Domain
+id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
+status: experimental
+description: Detects usage of bitsadmin downloading a file from a suspicious domain
+references:
+ - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
+ - https://isc.sans.edu/diary/22264
+ - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+ - attack.s0190
+ - attack.t1036.003
+date: 2022/06/28
+author: Florian Roth
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\bitsadmin.exe'
+ CommandLine|contains:
+ - ' /transfer '
+ - ' /create '
+ - ' /addfile '
+ selection_domain:
+ CommandLine|contains:
+ - 'raw.githubusercontent.com'
+ - 'gist.githubusercontent.com'
+ - 'pastebin.com'
+ - 'cdn.discordapp.com/attachments/'
+ - 'mediafire.com'
+ - 'mega.nz'
+ - 'ddns.net'
+ - '.paste.ee'
+ - '.hastebin.com'
+ - '.ghostbin.co/'
+ - 'ufile.io'
+ - 'storage.googleapis.com'
+ condition: all of selection*
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Some legitimate apps use this, but limited.
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml
new file mode 100644
index 000000000..1d5d7a4ed
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml
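Review bot: The tool is identified only by `Image|endswith: '\bitsadmin.exe'` in `selection`, so a renamed copy of the binary falls outside the rule even though the tag list carries `attack.t1036.003`, the technique for exactly that; the same applies to the `selection` block in the susp_ext, susp_ip, susp_targetfolder and uncommon_targetfolder files of this commit. Giving the image test its own selection lets either the path or the PE name match: `selection_img:` / `    - Image|endswith: '\bitsadmin.exe'` / `    - OriginalFileName: 'bitsadmin.exe'`, with the existing `CommandLine|contains` switch list moved under a `selection_cli` key; `condition: all of selection*` already requires every `selection*` group, so the condition stays as written. `OriginalFileName` is not populated by every process-creation source (Sysmon records it, native 4688 events do not), which is why `Image` should remain one of the two alternatives rather than be replaced.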
@@ -0,0 +1,64 @@
+title: Bitsadmin Download File with Suspicious Extension
+id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200
+status: experimental
+description: Detects usage of bitsadmin downloading a file with a suspicious extension
+references:
+ - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
+ - https://isc.sans.edu/diary/22264
+ - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+ - attack.s0190
+ - attack.t1036.003
+date: 2022/06/28
+author: Florian Roth
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\bitsadmin.exe'
+ CommandLine|contains:
+ - ' /transfer '
+ - ' /create '
+ - ' /addfile '
+ selection_extension:
+ CommandLine|contains:
+ - '.asax'
+ - '.ashx'
+ - '.asmx'
+ - '.asp'
+ - '.aspx'
+ - '.bat'
+ - '.cfm'
+ - '.cgi'
+ - '.chm'
+ - '.cmd'
+ - '.gif'
+ - '.jpeg'
+ - '.jpg'
+ - '.jsp'
+ - '.jspx'
+ - '.png'
+ - '.ps1'
+ - '.psm1'
+ - '.scf'
+ - '.sct'
+ - '.txt'
+ - '.vbe'
+ - '.vbs'
+ - '.war'
+ - '.wsf'
+ - '.wsh'
+ - '.zip'
+ - '.rar'
+ - '.dll'
+ condition: all of selection*
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml
new file mode 100644
index 000000000..a0c63837b
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml
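Review bot: Under `selection_extension`, `'.asp'` already matches every command line that `'.aspx'` matches and `'.jsp'` every one that `'.jspx'` matches, because `contains` is a substring test, so the two longer entries add nothing and can be dropped. The list is alphabetical except for `'.zip'`, `'.rar'` and `'.dll'` appended at the end; sorting them in keeps future additions diffable. At `level: high` with `falsepositives: Unknown`, the generic entries `'.txt'`, `'.zip'`, `'.png'`, `'.jpg'`, `'.jpeg'` and `'.gif'` will also match routine transfers, so the `description` should state why those types count as suspicious when fetched through bitsadmin, or the `falsepositives` entry should name them as the expected noise.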
@@ -0,0 +1,53 @@
+title: Bitsadmin Download File from IP
+id: 99c840f2-2012-46fd-9141-c761987550ef
+status: experimental
+description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
+references:
+ - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
+ - https://isc.sans.edu/diary/22264
+ - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+ - attack.s0190
+ - attack.t1036.003
+date: 2022/06/28
+author: Florian Roth
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\bitsadmin.exe'
+ CommandLine|contains:
+ - ' /transfer '
+ - ' /create '
+ - ' /addfile '
+ selection_extension:
+ CommandLine|contains:
+ - 'http://1'
+ - 'http://2'
+ - 'http://3'
+ - 'http://4'
+ - 'http://5'
+ - 'http://6'
+ - 'http://7'
+ - 'http://8'
+ - 'http://9'
+ - 'https://1'
+ - 'https://2'
+ - 'https://3'
+ - 'https://4'
+ - 'https://5'
+ - 'https://6'
+ - 'https://7'
+ - 'https://8'
+ - 'https://9'
+ condition: all of selection*
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
new file mode 100644
index 000000000..12bf28d94
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
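Review bot: The second selection is named `selection_extension` but holds URL prefixes, a leftover from the extension rule; rename it `selection_ip:` so the `all of selection*` condition reads as intended. The `'http://1'` … `'https://9'` entries match any URL whose host begins with a digit, not only IP literals, so a hostname starting with a digit also fires this `high` rule while the `description` says "contains an IP"; either state that broader behaviour under `falsepositives` or, if the target backends support the `re` modifier, tighten the test to one line such as `CommandLine|re: 'https?://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'`. A URL with a zero-leading host (`http://0`) is not covered by the digit list either, which the regex form also resolves.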
@@ -0,0 +1,41 @@
+title: Bitsadmin Download to Suspicious Target Folder
+id: 2ddef153-167b-4e89-86b6-757a9e65dcac
+status: experimental
+description: Detects usage of bitsadmin downloading a file to a suspicious target folder
+references:
+ - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
+ - https://isc.sans.edu/diary/22264
+ - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+ - attack.s0190
+ - attack.t1036.003
+date: 2022/06/28
+author: Florian Roth
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\bitsadmin.exe'
+ CommandLine|contains:
+ - ' /transfer '
+ - ' /create '
+ - ' /addfile '
+ selection_folder:
+ CommandLine|contains:
+ - 'C:\Users\Public\'
+ - '%public%'
+ - 'C:\Windows\Temp\'
+ - '%temp%'
+ - 'C:\ProgramData\'
+ - '%ProgramData%'
+ condition: all of selection*
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
new file mode 100644
index 000000000..3282e8630
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
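Review bot: Four of the six `selection_folder` entries here (`'C:\Windows\Temp\'`, `'%temp%'`, `'C:\ProgramData\'`, `'%ProgramData%'`) are repeated verbatim in the uncommon_targetfolder rule of this commit, so a transfer into any of those folders fires both rules, at `high` here and `medium` there; only the `Public` entries here and the `AppData` entries there are distinct. Either make the lists disjoint by keeping the Temp and ProgramData entries in one rule only, or say in each `description` that the overlap is intended so an analyst does not count the pair as two findings. The hard-coded drive letter in `'C:\Users\Public\'`, `'C:\Windows\Temp\'` and `'C:\ProgramData\'` also misses installs on another system drive; since `contains` is a substring test, `':\Windows\Temp\'` and `':\ProgramData\'` cover the same paths without the drive assumption.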
@@ -0,0 +1,41 @@
+title: Bitsadmin Download to Uncommon Target Folder
+id: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248
+status: experimental
+description: Detects usage of bitsadmin downloading a file to uncommon target folder
+references:
+ - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
+ - https://isc.sans.edu/diary/22264
+ - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+ - attack.s0190
+ - attack.t1036.003
+date: 2022/06/28
+author: Florian Roth
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\bitsadmin.exe'
+ CommandLine|contains:
+ - ' /transfer '
+ - ' /create '
+ - ' /addfile '
+ selection_folder:
+ CommandLine|contains:
+ - 'C:\Windows\Temp\'
+ - '%temp%'
+ - 'C:\ProgramData\'
+ - '%ProgramData%'
+ - '\AppData\Local\'
+ - '%AppData%'
+ condition: all of selection*
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unknown
+level: medium
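Review bot: The two AppData entries in `selection_folder` do not pair up: `'\AppData\Local\'` covers the Local tree as a literal path, while `'%AppData%'` expands to the Roaming tree, so a literal `\AppData\Roaming\` destination or a `%LocalAppData%` variable passes the rule. Adding `- '\AppData\Roaming\'` and `- '%LocalAppData%'` next to the existing two makes both profile trees matchable in both spellings. The `description` reads "to uncommon target folder"; "to an uncommon target folder" matches the phrasing of the sibling rule.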